New Ruling on Misuse of Company Computers Clears Employee of Computer Data Theft

In a key ruling, the Ninth Circuit Court of Appeals has held that an employee is not liable under the federal Computer Fraud and Abuse Act (18 USC § 1030) if he is authorized to use a company computer but does so in a way that exceeds his authorization. Although the case turned on particular facts, the court commented on a classic fact pattern that is important to employers and employees around the country: What if an employee who was authorized to use his employer’s computer downloads a series of documents to himself personally and then uses the documents to compete against the employer? Is the employee liable under the statute for computer abuse? No. As long as the employee committed the actions at a time when he was authorized to use the employer’s computer, there was no violation of the CFAA. A person runs afoul of the statute only when he uses the employer’s equipment without any authorization (the classic example is an employee “hacking” into an employer’s system after he has been fired and stripped of his authority to use the system). In addition, the court held that for an employer to prove unauthorized access occurred, particular and precise evidence is required. The case is LVRC Holdings LLC v. Brekka, 2009 WL 2928952 (9th Cir. - Sept. 15, 2009). Two limitations on this holding should be noted: First, the case did not involved a written employment agreement or published employer policy that dealt with computer use (which might have supported a breach of contract claim). Second, it should be noted that at least one other court disagrees with this analysis and would hold an employee liable for the “disloyal” use of a company computer (see International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)).